Google Two-Step Authentication Spreads Across the Globe

September 16, 2011

At last, “Google Rolls Out Safer Two-Step Authentication in 150 Countries,” reports Softpedia. Google debuted the more rigorous verification earlier this year, but only in its English language incarnation. Now, another 40 languages and 150 localized Web sites are on board.

Writer Lucian Parfeni explains the revised method:

With two-step verification, or authentication, users have to provide a unique code along with their account credentials. This code is only available via their phones, ensuring that unauthorized persons, with no access to the phone, can’t get in even if their credentials have been compromised, or at least making it significantly harder.

This is good news. The new process is slightly more annoying, but the increased security is worth the small hassle. Well, to me, anyway. Then again, I’m not one to use “password” as my password, either.

Some might say, “Good move, Google.”

Cynthia Murrell, September 16, 2011

Sponsored by Pandia.com, publishers of The New Landscape of Enterprise Search

SQL Injection: Knowledge Prevents Problems

September 14, 2011

Our modern lives are controlled by databases: health records, financial records, education records, and online search. Even when you are not personally interfacing with a database, there is usually one behind the scenes controlling your enrollment, appointment time, or access to any given record. SQL is the language used to create and query such databases, and applications that build SQL queries from user input are vulnerable to an attack technique called SQL injection.

SQL injection exploits a vulnerability in the database layer of an application, typically a query assembled by pasting untrusted input directly into the SQL text. It is considered one of the top 10 web application security vulnerabilities. Our culture of free access to information can be used for good or for evil. One example is this SQL Injection Pocket Reference.

Freely available on the Web, this pocket guide explains the ins and outs of SQL injection. The author could argue that this guide helps creators build more secure databases by recognizing mistakes in the framework or areas of weakness. However, a stronger argument could be made that such a reference is more of a “hacking for dummies” guidebook than anything else. Anyone who’s ever suffered an email or bank account hack would like to see such information be a little harder to find.

We are not fans of hacker-related information or the hacker ethos, but information can prevent missteps. We suggest learning how SQL injection works and then double-checking that your own applications are not vulnerable.
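The "double check" the post recommends is easiest to understand with the two query styles side by side. The following is an added example, not code from the post or from the pocket reference it mentions: it builds a constructed in-memory SQLite users table, runs the same login check once with string concatenation and once with a parameterised query, and feeds both the textbook tautology input so the difference in behaviour is visible. Table layout, user names and the `login_*` function names are assumptions made for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data for the example, not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "staff")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is concatenated into the SQL text, so the input can
    # change the *structure* of the query (add a clause), not just a value.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    # Parameterised query: the SQL text is fixed and the driver binds the
    # values separately, so the values are never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    conn = build_db()
    # The classic tautology input found in every SQL-injection primer. Against
    # the concatenated query it becomes
    #   ... AND password = '' OR '1'='1'
    # and the OR clause makes the WHERE true for every row.
    tautology = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", tautology),
        "safe": login_safe(conn, "alice", tautology),
        "legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The point to take away is that the fix is not escaping quotes by hand but never letting input become part of the query text at all; the parameterised version returns nothing for the tautology because it is compared literally against the stored password.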

Emily Rae Aldridge, September 14, 2011

Sponsored by Pandia.com, publishers of The New Landscape of Enterprise Search

Social Media: Making the Personal Impersonal

August 25, 2011

Search engines are now using social media data to rank query results. As crazy as it sounds, your Tweets could now alter the way Google gives you information on such benign things as “George Washington” or “grilled cheese sandwiches.” eSchool News takes a look at how “New Web-Search Formulas Have Huge Implications for Students and Society.”

Search results now differ from person to person because the ranking algorithms have been altered to include social media data. Knowing that most people don’t go past the second page of results, the search engines have tailored their ranking systems to consider links you have clicked on and to filter results based on those previous links. This isn’t groundbreaking, since Amazon and Netflix have used the approach for years to recommend books and movies, but it is new to the major search engines.

At the 2011 Technology, Entertainment, and Design talk, Eli Pariser, the author of The Filter Bubble, shared his reservations with the “invisible algorithmic editing of the web.” He believes it only shows us what it thinks we want and not what we need to see.

[I]t was believed that the web would widen our connections with the world and expose us to new perspectives, Pariser said: Instead of being limited to the newspapers, books, and other writings available in our local communities, we would have access to information from all over the globe. But thanks to these new search-engine formulas, he said, the internet instead is coming to represent ‘a passing of the torch from human gatekeepers [of information] to algorithmic ones.’ Yet, algorithms don’t have the kind of embedded ethics that human editors have, he noted. If algorithms are going to curate the world for us, then ‘we need to make sure they’re not just keyed to [personal] relevance—they also should show us things that are important, or challenging, or uncomfortable.’

It seems that search engines may be focusing on personal factors, but are not personalizing the process. The user has no control over results. That customization is left to a rigid algorithm. If a restaurant says that they make burgers “made-to-order,” then I expect to be able to pick mustard and onions on one visit, and pick cheese and ketchup on the next visit. The server should not just look at my past orders and make an educated guess. There is nothing “personal” about that.

Could this lead some well-meaning people down an unintended and risky path to censorship-by-computer? Users must gain more control over these search formulas. There are certainly times when social media parameters are acceptable, but sometimes you want and need to see the other side. It depends on whether you are settling an argument between your friends over song lyrics or writing a thesis on communism. Until users are offered more liberal control, I think this “personal” ranking system will actually suppress and limit a lot of important information that users are seeking. The social impact on a search comes at a pretty high price.

Jennifer Wensink, August 25, 2011

Sponsored by Pandia.com

More Open Source Woes: Malware Problem Grows

August 25, 2011

The article “Attack on Open-Source Web App Keeps Growing,” on The Register, reports on an alarming attack on the open-source online shopping application osCommerce. The attack injects malware into the computers of users of the shopping app.

Being open-source, osCommerce is understandably a very popular product for online vendors. Their own website boasts that over 250,000 shop owners, developers and entrepreneurs use the product. With that being the case, Armorize’s bleak report on the number of infections is no surprise. At the time the article was published, experts estimated over 8.3 million pages were infected.

The attack is best explained by the article:

Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one that was discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there’s only one vulnerability that’s being exploited, but he admitted that no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.

This exploitation of open-source software is bad news for not only the open-source community, but also the search industry as well. The rate at which pages are becoming infected signifies how quickly one unprotected piece of software can infect an entire community.

There is a patch for the problem but unfortunately, as evidenced by the number of infected, it is not being applied. Anytime an update is available, it is imperative that users download it immediately. If you are using open source, you may have to worry about more than legal hassles. Will this affect Lucene and other open source search solutions? Stay tuned.

Catherine Lamsfuss, August 25, 2011

Sponsored by Pandia.com

Google Enterprise Elevates Its Game with Security Certification

August 16, 2011

Google recently announced that both their Google Apps suite and their Google App Engine have received SSAE-16 security certification. The certification could open a lot of new doors for Google in the world of enterprise. ZDNet provides coverage in, “Google App Engine Now Officially Secure.”

The certification process covers everything from physical security at the data center to making sure that only pre-cleared staff have access to customer data, to evaluating Google’s redundancy and incident reporting . . . And the bottom line to all this is that several enterprises require their cloud providers to be compliant with these standards – formerly SAS 70, and now SSAE-16. And this means that Google App Engine is open to a whole new customer base, with confidences bolstered by an authoritative second opinion.

While not a major deviation from their previous certification, the stamp of approval from the American Institute of Certified Public Accountants is good business. As data continues to grow exponentially on the web and on the cloud, security will continue to be the top priority. Continuing to redefine themselves in a way that gives them freedom to rely less on their famous search model, Google now has the security authority to venture into new realms.

Google does not seem particularly quick off the security launch pad in our opinion.

Emily Rae Aldridge, August 16, 2011

Sponsored by Pandia.com, publishers of The New Landscape of Enterprise Search

Free Program Removes DRM Controls from PDFs

August 12, 2011

We’ve found a tool that is, perhaps, a bit concerning. Softpedia presents, for free, PDF Drm Removal 1.4.2.0. The developer of the software is listed as Removedrmfromepub.com. The product description reads,

PDF Drm Removal is a professional and reliable application designed to remove DRM protections from PDF files with no quality loss. Just removes the PDF files drm header, no change on the files. Read the PDF on any supported devices!

Interesting and somewhat concerning. We understand there’s controversy over Digital Rights Management controls; some say that they stifle innovation or violate private property rights. Others say the technology unnecessarily locks documents into a format that is bound to become obsolete someday.

However, we necessarily sympathize with publishers and writers, like Stephen E. Arnold, who rely on PDF security to safeguard documents. How else will they protect their work in the digital age?

Cynthia Murrell, August 11, 2011

Symantec Snaps Up Clearwell to Enter E Discovery Market

July 20, 2011

I do some odd jobs for Enterprise Technology Management. Among them is hosting podcasts on various topics. Last week we did a podcast with several luminaries in the e discovery market. E Discovery is a term used to describe the content and text processing required to figure out what is in unstructured content gathered in a legal matter. There doesn’t have to be a lawsuit to trigger a company’s running an e Discovery project, but unlike search, e Discovery beckons legal eagles.

We read the article “Symantec acquires Clearwell Systems for $390m.” Perhaps best known for their antivirus software, Symantec also offers an array of information management solutions. Clearwell Systems specializes in e-discovery tools, used in response to litigation and other legal/investigative matters.

Symantec gains much with the acquisition:

Symantec notes the acquisition will add archiving, backup and eDiscovery offerings to its existing offerings, enabling it to offer a broader set of information management capabilities to customers. The deal will help Symantec provide future product integration opportunities with Symantec backup and security, Symantec NetBackup, Data Loss Prevention and Data Insight, the company said.

This acquisition moves e-discovery to the cloud, while continuing the appliance approach.

On the podcast I learned:

  • There will be a push for more hosted services. Autonomy has done a good job with its Zantaz acquisition and its hosted services, so Symantec is going down a route that leads to a pay off.
  • The Clearwell approach will continue to feature its rapid deployment model. I associated the phrase “rocket docket” with Clearwell which connotes speedy service.
  • The Clearwell report and user audit functions will be expanded and enhanced. I saw a Clearwell report and watched an attorney pop it in an envelope for delivery to another attorney. The system impressed me because the report did not require any fiddling by the attorney. Good stuff.

Naturally, other new services are planned. Stay tuned.

Cynthia Murrell, July 14, 2011

Search and Security: Old Wine Rediscovered

July 20, 2011

There is nothing like the surprise on a user’s face when an indiscriminate content crawl allows a person to read confidential health or employment information. Overenthusiastic “search experts” often learn the hard way that conducting a thorough content audit *before* indexing content on an intranet is a really good idea.

Computerworld’s new article “Security Manager’s Journal: The perils of enterprise search,” is an insight into the dangers of sloppy search parameters, or what we call old wine rediscovered.

The author does a good job of addressing the security concerns that can pop up if an enterprise search is not well thought out.

If security concerns aren’t addressed, this is what you can expect: The IT team does some research, makes a choice, deploys the infrastructure and begins pointing it to data repositories. Before you know it, someone conducts a search with a term like “M&A” and turns up a sensitive document naming a company that’s being considered for acquisition, or a search for the word “salary” reveals an employee salary list that was saved in an inappropriate directory. In other words, people will be able to find all manner of documents that they shouldn’t have access to.

Thurman cites the ‘rule of least privilege,’ the rule that information should be available only to those who need to know it. For enterprise search, it means that queries should return only information that is relevant to the search and that the user is allowed to see.
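What “only what the user is allowed to see” looks like in practice is a result-trimming step that re-checks each hit’s access control list against the querying user. The block below is an added example, not code from the Computerworld column or from any search product: it builds a toy inverted index over a constructed corpus that includes the two accidental “salary” and “M&A” documents the quoted passage describes, records each document’s ACL at index time, and trims results at query time. The `Doc`, `Principal` and `SecureIndex` names and the group names are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_groups: frozenset  # ACL captured when the document is indexed


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset  # group memberships of the user running the query


# Constructed sample corpus for the example, not from the page. It mixes two
# sensitive documents saved in the wrong place with harmless all-staff pages
# that happen to share the same keywords.
CORPUS = [
    Doc("hr-1", "2011 salary list for all staff", frozenset({"hr"})),
    Doc("exec-1", "M&A target evaluation: Acme Widgets", frozenset({"exec"})),
    Doc("wiki-1", "how to submit a salary advance request", frozenset({"all-staff"})),
    Doc("wiki-2", "M&A glossary for new hires", frozenset({"all-staff"})),
]


def tokenize(text):
    # Keep '&' inside tokens so "M&A" survives as a single term.
    return set(re.findall(r"[a-z0-9&]+", text.lower()))


class SecureIndex:
    def __init__(self, docs):
        self.docs = {d.doc_id: d for d in docs}
        self.postings = {}
        for d in docs:
            for tok in tokenize(d.text):
                self.postings.setdefault(tok, set()).add(d.doc_id)

    def search_unfiltered(self, query):
        # What a naive crawl-and-index deployment returns: every document
        # containing all query terms, regardless of who is asking.
        hits = None
        for tok in tokenize(query):
            ids = self.postings.get(tok, set())
            hits = ids if hits is None else hits & ids
        return sorted(hits or set())

    def search(self, query, principal):
        # Late-binding trim: each candidate's ACL is checked against the
        # principal's groups on every query, so a hit is only returned if
        # the user could open the document anyway. Sensitive documents stay
        # in the index, but never leak through the result list or snippets.
        return [
            doc_id
            for doc_id in self.search_unfiltered(query)
            if self.docs[doc_id].allowed_groups & principal.groups
        ]


if __name__ == "__main__":
    index = SecureIndex(CORPUS)
    staff = Principal("pat", frozenset({"all-staff"}))
    hr = Principal("sam", frozenset({"all-staff", "hr"}))
    for who, term in ((staff, "salary"), (hr, "salary"), (staff, "M&A")):
        print(who.name, term, "->", index.search(term, who))
```

Trimming at query time against the live ACL is the conservative choice: a document whose permissions were tightened after it was indexed is still hidden, which a permissions snapshot baked into the index at crawl time would not guarantee. The content audit the post recommends is still needed, because trimming only helps when the ACLs on the source repositories are themselves correct.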

All in all, a rather informative if redundant read that outlines a few security options and ideas.

What we find interesting is that such write ups have to be recommissioned. Not much sophistication in enterprise search land we fear.

Stephen E Arnold, July 20, 2011

Sponsored by ArticleOnePartners.com, the source for patent research

Booz, Allen: Alleged Security Misstep

July 13, 2011

“Anonymous Leaks 90,000 Military Email Accounts in Latest #AntiSec Attack” caught my eye. The story points out that Booz, Allen seems to have been caught with its security Brooks Brothers suit pants down. The story said:

The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel—including personnel from US CENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors. Their correspondences could include exchanges with Booz Allen’s highly brassy staff of retired defense folk: current execs include three former Directors of National Intelligence and one former head of the CIA. Anon was also kind enough to gut 4 GB of source code from Booz Allen’s servers. Anon cites the firm’s alleged complicity in the SWIFT financial monitoring program as at least partial motive for the attack.

I used to work at Booz, Allen & Hamilton. Happier times. One of my goslings quipped, “Is this the same Bozo, Allen where you worked?” Happily I pointed out that my tenure took place when there was one highly regarded firm, no debt, and no allegations of broken toes with regard to security. I hope the story is incorrect.

Stephen E Arnold, July 13, 2011

Sponsored by Pandia.com, publishers of the monograph, “The New Landscape of Enterprise Search.”

Security and Open Source: A Delicate Mix Requires a Deft Hand

July 5, 2011

I recall reading a very unusual write up with a “learning” hook. The story was “The 10 Worst Cloud Outages (and What We can Learn from Them).” The article makes lemonade from the Amazon faults, which stem from a combination of home grown, open source, and commercial software. The lemonade bucket is full because the same recipe is used for cloud outages at Microsoft Sidekick, Google’s Gmail (with no reference to the Blogger.com crash during this year’s Inside Search conference which focused on cloud stuff), Microsoft’s Hotmail issues, Intuit’s flubs, Microsoft’s business productivity online standard suite stumbles, Salesforce.com’s outage, Terremark’s troubles, PayPal’s hiccups, and Rackspace’s wobblies.

What the article taught me was that this cloud stuff is pretty difficult even for folks with deep pockets, lots of engineers, and oodles of customers who swallow the pitch hook, line, and sinker.

My hope is that US government funding of research into the use of open source software for security applications can route around cloud dependencies. “DHS, Georgia Tech Seek to Improve Security with Open Source Tools.” The article said:

Although parts of the government, such as the Defense Department, have embraced open-source software for a variety of applications, many agencies still view it as suspect. As a resource, Davis hopes HOST will help to dispel the “hippie in the basement” view of open-source programs — that it’s cobbled together by enthusiasts rather than teams of professional programmers. The advantage of open-source software is that users can vet the source code themselves to make an application more secure. “Having something in a cellophane wrapped box doesn’t make it safer,” he said.

A combination of cloud technology and open source might prove the undoing of a well conceived program based on open source technology. Intertwining the cloud and open source tools for security might create an interesting and difficult to troubleshoot situation. Let’s hope the approach delivers lemonade with just the right amount of sugar, not a sour concoction.

Stephen E Arnold, July 5, 2011

From the leader in next-generation analysis of search and content processing, Beyond Search.
